This is deliberate. AWS China provides only a selection from the complete list of AWS rest-of-world services. Some of the services that are available only have a subset of features, namely Virtual Private Network (VPN) under VPC.
Regions in AWS China
AWS China is comprised of two regions. Each region is operated by a separate company:
Both regions are connected via backbone. Yet, neither of these regions is linked to the AWS global backbone. This is essential to comply with the legal and regulatory mandates in China.
Cross-Border VPC connections
Because AWS China does not have the VPN services that you would find in AWS rest-of-world, there is no possibility to setup a Site-to-Site or Client VPN natively.
Any traffic that appears to come from a VPN and which passes through the Great Firewall (GFW) is likely to be blacklisted and blocked within 24 hours or sooner.
There are however multiple options to create a Cross-Border VPC connection (backbone) using the available services in AWS China.
AWS Direct Connect
An alternative method for establishing a Cross-Border VPC connection involves seeking support from a designated set of Chinese Internet Service Providers (ISPs). This entails making a declaration that no prohibited traffic will be hosted, along with monthly expenses.
China Telecom Global (CTG), at the time of writing, provides the following connections between the regions Frankfurt and Beijing:
- 10Mbps single – $750 per month
- 1000Mbps single – $26,800 per month
The possibility of implementing a redundant connection is available, with the associated expenses nearly doubling compared to a single connection of the same speed.
While this solution does provide a considerable peace of mind, the associated cost is notably higher than that of certain alternatives.
Stunnel
An alternative approach involves establishing a tunnel between two EC2 instances, providing a presence in both regions. This can be accomplished using Stunnel, enabling the tunneling of TCP traffic with SSL encryption. Stunnel operates as a proxy on EC2 instances, directing specific traffic based on predefined routes.
A key factor to take into account is the instance type, as it dictates both the baseline and burst network bandwidth.
Due to the communication occurring between two instances situated in distinct regions, the baseline network performance is either halved or capped at 5Gbps, depending on the instance type.
The limiting factor is likely to be the network bandwidth available to the EC2 instances, not Stunnel. See Stunnel performance data.
The network bandwidth will be directly affected by the overall network usage in both the destination and target AWS Availability Zones and the route through the internet at any given moment. For tasks dependent on bandwidth, this may not be the most favorable option.
Despite the aforementioned points, this approach grants you authority over the inter-regional connection, guaranteeing unimpeded traffic to the destination without encountering restrictions from the Great Firewall (GFW). Moreover, the financial expense associated with this solution is significantly more economical compared to alternatives.
Conclusion
There is no one-size-fits-all solution. Each use case will present unique requirements. The appropriateness of different approaches should be assessed considering factors such as complexity, cost, reliability, and throughput.
Benjamin Schlagbauer
Benjamin Schlagbauer is a Linux Consultant specialized in Cloud Computing. His main areas of focus are the conception & construction of Cloud environments.